Class: RoleBasedAuthorization::Rule

Inherits:
Object
Defined in:
lib/role_based_authorization/rule.rb

Overview

Models an authorization rule. A rule is a triplet <roles, cond, object_id>. A rule matches if the user's role is in roles and cond (if not nil) is satisfied when objects are retrieved using object_id.

Constructor Details

#initialize(roles, cond, object_id) ⇒ Rule

Initializes the rule. roles is mandatory (a single role is wrapped in an array), cond is optional, and object_id defaults to :id if nil.

# File 'lib/role_based_authorization/rule.rb', line 9

def initialize roles, cond, object_id
  roles = [roles] unless roles.respond_to? :each

  @roles = roles
  @cond = cond
  @object_id = object_id || :id
end

Instance Method Details

#inspect ⇒ Object

Returns a string representation of this rule.

# File 'lib/role_based_authorization/rule.rb', line 35

def inspect
  str =  "rule(#{self.object_id}): allow roles [" + @roles.join(',') + "]"
  str += " (only under condition object_id will be retrieved using '#{@object_id}')" if @cond

  str
end

#match(user, objects) ⇒ Object

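Returns true if this rule matches the given user and objects: the user's role must be in roles (or roles must include :all) and, when cond is set, cond must also hold.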

# File 'lib/role_based_authorization/rule.rb', line 18

def match(user, objects)
  AUTHORIZATION_LOGGER.debug('trying '+self.inspect)

  matching = @roles.include?(:all)

  # checking for right role (no need to check them if already matching)
  matching = !@roles.find { |role| !user.nil? && role == user.role }.nil? if !matching

  if @cond.nil?
    return matching
  else
    # to have a proper match, also the condition must hold
    return matching && @cond.call(user,objects[@object_id])
  end
end
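
The matching semantics above, exercised on edge cases an authorization reviewer would check (nil user, :all, String versus Symbol roles, a missing object key). This is an added example, not code from the role_based_authorization project: DemoRule is a condensed copy of the logic shown on this page with logging omitted, and DemoUser, POST_OWNERS, OWNS_POST and rule_match_cases are hypothetical names with constructed data.

```ruby
# Condensed copy of the Rule logic documented on this page (logging omitted),
# named DemoRule so the block runs without the gem installed.
class DemoRule
  def initialize(roles, cond, object_id)
    @roles = roles.respond_to?(:each) ? roles : [roles]
    @cond = cond
    @object_id = object_id || :id
  end

  def match(user, objects)
    matching = @roles.include?(:all) ||
               @roles.any? { |role| !user.nil? && role == user.role }
    return matching if @cond.nil?
    matching && @cond.call(user, objects[@object_id])
  end
end

# Constructed sample data: a minimal user model and a post-ownership table.
DemoUser = Struct.new(:id, :role)
POST_OWNERS = { 42 => 7 }.freeze

# Nil-safe ownership condition: under an :all rule, cond is called even when
# user is nil, so it must not dereference the user unguarded.
OWNS_POST = lambda do |user, post_id|
  !user.nil? && POST_OWNERS[post_id.to_i] == user.id
end

def rule_match_cases
  admin  = DemoUser.new(1, :admin)
  editor = DemoUser.new(7, :editor)
  admin_only = DemoRule.new(:admin, nil, nil) # single role gets wrapped
  own_posts  = DemoRule.new([:editor], OWNS_POST, :post_id)
  public_all = DemoRule.new(:all, nil, nil)
  all_owned  = DemoRule.new(:all, OWNS_POST, :post_id)
  {
    admin_ok:        admin_only.match(admin, {}),
    editor_denied:   admin_only.match(editor, {}),
    anonymous_admin: admin_only.match(nil, {}),
    string_role:     admin_only.match(DemoUser.new(2, 'admin'), {}), # 'admin' != :admin
    editor_owns:     own_posts.match(editor, { post_id: '42' }),
    editor_other:    own_posts.match(editor, { post_id: '43' }),
    missing_param:   own_posts.match(editor, {}), # objects[:post_id] is nil
    anonymous_all:   public_all.match(nil, {}),   # :all matches without a user
    anonymous_owned: all_owned.match(nil, { post_id: '42' })
  }
end

puts rule_match_cases.inspect if $PROGRAM_NAME == __FILE__
```

A rule listing :all matches even when user is nil, so any protection on such a rule comes entirely from cond, which then receives the nil user.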